THE RSA AUTHENTICATION DECISION TREE
Select the Best Authentication Solution for Your Business
White Paper
“What is the best authentication solution for my business?” This is a recurring question
being asked by organizations around the globe. With analysts hailing one new or emerging
security product after another as the “silver bullet”, it is critical to
making a final selection as to the authentication solution that will work best,
organizations must consider their user authentication needs, the threats targeting their
business, their business objectives and the regulatory guidelines that impact their
industry.
RSA has developed the Authentication Decision Tree – a comprehensive tool to help
organizations understand, evaluate and select the most appropriate authentication
solution to meet the needs of their users and their business. The RSA Authentication
Decision Tree provides a framework to help narrow the selection of authentication
solutions based on five critical factors. This white paper provides an overview of the
Authentication Decision Tree, examines the five factors critical to selecting an
authentication solution, and offers a clear guide to selecting the right solution that
effectively balances risk, cost and end user convenience.
The Need for Strong Authentication
Protecting access to information and assuring the identities of users requesting that
access is a core element of any security initiative. In the last few years, numerous
industry regulations have been issued that require organizations to enact strong
authentication security measures to protect against unauthorized access to information.
Today, as functionality and technology move to new channels, so do the threats that
target sensitive data – driving an increasing demand for strong authentication across the
organization.
The online and mobile channels. Recognizing the new business opportunities, cost
efficiencies and the customer service aspects associated with providing real-time access
to information online, many organizations are offering an increasing number of Web-
based customer portals and business applications that enable customers to access and
manage their accounts 24/7. Mobile access – smart phones in particular – provide
customers with similar access and often offer even more functionality through
customized applications.
Remote and mobile access. The global nature of business and employee mobility has
forced many organizations to provide around-the-clock access from multiple locations
and multiple devices – including mobile – to enable employee productivity.
Access for new user populations. Today’s organizations are extending access privileges
beyond the employee to external contractors, partners and suppliers. These new user
populations require on-demand access to proprietary information such as sales forecasts,
competitive intelligence, pricing charts, inventory, and customer data.
The State of User Authentication
Despite the fact that “password-only” authentication is recognized for providing relatively
weak security, the use of a single password as a means of assuring user identities
continues to dominate. However, the authentication method once viewed as “free”
has actually become expensive in terms of ongoing management and support costs.
According to the Help Desk Institute, roughly 30 percent of all help desk calls are for
password resets, at a cost of between $25 and $50 per call.
New authentication methods continue to appear on the market making the selection even
more challenging for organizations looking to implement a strong authentication strategy.
In the enterprise, hardware authenticators still dominate for securing access to corporate
resources. Yet, employee mobility and the use of mobile phones and PDAs have caused
an increase in demand for software authenticators. For consumer-facing portals, risk-
based authentication and knowledge-based authentication are common security
mechanisms because of their ease-of-use and their scalability to a mass user base.
With so many authentication options available on the market, organizations are finding it
difficult to establish an authentication strategy. For many organizations, multiple
authentication options can be selected based on factors such as the user population, the
value of information being protected, portability and user experience. RSA developed the
Authentication Decision Tree to help organizations weigh the assorted options objectively
and align the needs of their users and their business to make the optimum choice.
Critical Factors to Consider in Developing an Authentication Strategy
There are five critical factors to consider in developing an appropriate authentication
strategy. These five factors are:
– The value of the information being protected
– The strength of user authentication to apply
– Planned usage
– Needs of the end user population
– Technical environment
The value of protected information
The first factor to consider is the value of the information to be protected and the cost of
unauthorized access to that information. Proprietary business data, bank account and
credit card details, health records or personally identifiable information (PII) are all types
of information that could be considered high value. Unauthorized access to that
information can be costly (e.g., a bank having to absorb the cost of fraudulent fund
transfers made from customer accounts) and damaging to a company’s brand and reputation.
The higher the value of the information, and the greater the harm to the organization if
it is accessed by an unauthorized user, the stronger the authentication solution needed
to protect it.
The strength of user authentication to apply
Considering the user population and the information being accessed by those users
helps an organization determine the level of user authentication to apply. For example,
an organization has little ability to dictate authentication methods to its customers,
so the deciding considerations for this user base are likely to be convenience and
willingness to adopt. For employees and partners, the organization has more control over
the authentication methods it deploys and is more likely to weigh features such as
portability, total cost of ownership and overall management.
Planned usage
When organizations deploy an authentication solution, there is often more than one
business objective to be met. In other words, depending on the user and the types of
activities performed, an organization might determine that additional layers of
authentication are needed beyond just assuring user identities. For example, a financial
institution seeking to decrease their fraud losses might implement a transaction
monitoring solution to monitor high-risk money transfers. Another example to consider
would be for enterprise users. An organization might require certain users that work with
and exchange highly sensitive information – such as HR, payroll and finance – to have an
authentication solution that enables file and e-mail encryption.
End user population
When deploying authentication to an end user community, there are many factors to
consider depending on the end user population. From the user’s perspective,
organizations must consider aspects such as ease-of-use, the user’s willingness to adopt
and the information the user will be accessing. From the organization’s perspective,
consideration must include total cost of ownership, training requirements, scalability to
end users and mobility of the solution.
Technical environment
Finally, the technical environment where the solution will be deployed is important in
helping to determine such factors as what level of authentication strength to apply. For
example, in an environment where desktops are more controlled and anti-virus software
is likely to be up-to-date, security requirements may not be as rigorous compared to a
scenario where the user environment is not as controlled and a large percentage of the
user population is accessing the network from remote locations around the world.
Another technical consideration is the range of end user devices being used for access.
For both corporate and customer-facing applications, the end user base is likely to be
accessing information from devices ranging from laptops and desktops to PDAs and
mobile phones to kiosks. The types of access devices are important in determining the
authentication form factors offered to end users.
Today, many organizations allow smart phones (e.g., iPhone, Android or BlackBerry),
whether company-issued or employee-owned, to access corporate e-mail. This relatively new
aspect of mobility, often referred to as “the consumerization of IT”, increases employee
productivity and flexibility. These benefits, coupled with the increasing functionality
and power of new devices, are fueling the use of consumer devices for business. But the
trend also raises difficult questions for the organization: how to manage the cost of
ongoing IT support for a rapidly growing variety of devices, where to draw the line for
that support, and how to manage the growing security threats introduced by mobility.
The Authentication Decision Tree
In light of the number of new authentication methods and technologies, the increasing
value of information, new user populations requiring access to networks and applications,
the proliferation of advanced threats and a complex regulatory environment,
organizations are being driven to re-evaluate their existing authentication strategy.
There are many existing authentication solutions to evaluate and market buzz about
certain authentication technologies make the assessment difficult for many
organizations. Biometric solutions, for example, enjoy a disproportionate share of media
coverage compared to their actual deployment in the market. These solutions require
expensive and cumbersome readers, making it an impractical solution for mobile or
remote access or adoption by a mass consumer audience.
The RSA Authentication Decision Tree was designed for organizations to evaluate their
user and business needs objectively against the readily available authentication
technologies on the market in order to ease the decision-making process. As the market
has yet to come up with a universal solution that will meet every business requirement
and address the security needs for all users and all scenarios, the RSA Authentication
Decision Tree can be used to help organizations select the most appropriate
authentication solution, or combination of solutions, while balancing risk, cost and end
user convenience.
How to Use the Authentication Decision Tree
In determining what solution(s) will work best for an organization, the RSA Authentication
Decision Tree examines the following criteria:
– Control over the end user environment
– Access methods to be used
– Requirements of access across multiple locations or devices
– The need for disk, file or e-mail encryption
– Fraud prevention
– Size of the end user base
Control over the end user environment
Control over the end user environment is critical in determining the appropriate
authentication method.
Considerations include things such as whether the organization is allowed to install
software on the end user’s system or consumer device, and whether they can dictate the
operating system platform an end user is required to work on.
But why is this so important? Looking at something as simple as being able to control the
operating system is important because not all authentication solutions are going to be
compatible with all operating systems universally. In an enterprise environment, the
organization has direct control over the operating systems on user devices. However,
there is no control over the operating systems of external users, such as customers and
partners, so the authentication method offered to these populations may be different.
Access methods to be used
Access methods are very important in determining an authentication strategy. Some
authentication methods only work for accessing Web-based applications while others can
be used to authenticate to multiple, non-Web based applications. Therefore, taking into
account the user, their access rights, and their planned usage will have a direct effect on
the authentication methods selected.
Requirements of access across multiple locations or devices
The global nature of business and increased employee mobility has created a demand for
around-the-clock access from multiple locations and multiple devices – including mobile
devices. For employees or partners, providing the option of anytime, anywhere access is
critical to sustaining productivity; for customers, it is important for maintaining customer
satisfaction. Above all, providing the anywhere, anytime option for users to access
information securely is critical to the continuation of business.
Factors to weigh include:
– Do you need to accommodate user access from varying remote locations?
– Do you need to accommodate user access from unknown systems such as kiosks, hotel
systems or shared workstations?
– Do you need to accommodate user access from varying devices such as PDAs, mobile
phones, or other consumer devices (e.g., tablets)?
The need for disk, file or e-mail encryption
When evaluating an authentication strategy, organizations should consider the other
business purposes that it may want the authentication method to address. For example,
a healthcare organization might have the need to encrypt protected health information
(PHI) or other personally identifiable information (PII) of a patient as it is transmitted
between departments and facilities in order to meet HIPAA regulations. In this instance,
the healthcare organization might require individuals with access rights to PHI and PII to
access the data only from trusted machines.
Fraud prevention
Some deployments need to keep monitoring the transactions and activities a user
performs after initial authentication at login in order to prevent fraud, because a
session that began with a genuine login can still be abused by malware on the user’s
machine. While this scenario is relevant primarily to financial services applications,
other industries are beginning to experience targeted phishing and malware attacks by
cybercriminals seeking deeper access to a company’s infrastructure in order to collect
personal and/or proprietary corporate data that can be sold on the black market.
Size of the end user base
The size of the end user base being protected matters because cost is often one of the
biggest considerations, especially for small to mid-sized businesses. Several
authentication solutions are designed, and priced, specifically for a very small or a
very large user base.
A Myriad of Authentication Possibilities
Passwords
Passwords provide single-factor authentication for assuring user identities. While the
initial acquisition cost is zero, the ongoing management and support costs (password
resets, for example) can become expensive in the long term. The level of security
provided is low: passwords can be guessed, phished, stolen from a compromised system or
reused across sites, and they are frequently shared among individuals.
Knowledge-based authentication
Knowledge-based authentication is a method of authenticating an individual based on
knowledge of personal information, substantiated by a real-time interactive question-
and-answer process. The questions presented to a user are derived from public record
databases, are chosen at random and have not previously been asked of the user, which
distinguishes this dynamic form from static “secret questions” registered in advance.
The caveat is that information drawn from public records may also be available to an
attacker who researches the target, so the method is best treated as one factor among
several rather than as a strong factor on its own.
Risk-based authentication
Risk-based authentication is a system that measures, behind the scenes, a series of
risk indicators to assure user identities and/or authenticate online activities. Such
indicators include device attributes, user behavioral profiles, device profiles and IP
geo-location. The higher the risk level presented, the greater the likelihood that an
identity or action is fraudulent. If the risk engine scores an authentication request
above the threshold set by policy, risk-based authentication provides the option to
“step up” authentication. In a step-up scenario, a user may be asked to answer a few
challenge questions, or to submit an authorization code delivered to a phone via SMS
(text) message or e-mail. Because the user normally sees nothing, the method scales to a
mass user base; its strength depends on how hard the indicators are for an attacker to
mimic.
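The scoring-and-step-up flow described above, as an added example (not RSA's risk engine and not code from the paper): a small risk engine that scores a login from the kinds of indicators the paper lists and returns allow, step-up or deny. The weights, thresholds, the sample user profile and the three login events are constructed for illustration and would be tuned against real fraud data in practice.

```python
"""Risk-based authentication: score a login from behind-the-scenes indicators
and decide whether to allow it silently, step up, or deny it.

Added example, not RSA's risk engine. The indicators follow the ones the paper
lists (device attributes, behaviour profile, IP geo-location, recent activity);
the weights, thresholds, user profile and login events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"
STEP_UP_AT = 30   # assumed: score at or above which the user is challenged
DENY_AT = 80      # assumed: score at or above which the request is refused


@dataclass
class UserProfile:
    known_devices: Set[str]          # device fingerprints seen on past good logins
    usual_countries: Set[str]        # countries seen on past good logins
    usual_hours: range               # hours of day (UTC here) the user normally logs in
    last_login: Optional[datetime] = None
    last_country: Optional[str] = None


@dataclass
class LoginEvent:
    device_id: str                   # fingerprint or registered device cookie
    country: str                     # from IP geo-location
    time: datetime
    recent_failures: int = 0         # failed attempts on this account in the last hour


def risk_score(profile: UserProfile, ev: LoginEvent) -> Tuple[int, List[str]]:
    """Additive score plus the reasons that contributed (for the audit log)."""
    score, reasons = 0, []
    if ev.device_id not in profile.known_devices:
        score += 30
        reasons.append("unrecognised device")
    if ev.country not in profile.usual_countries:
        score += 25
        reasons.append("unusual geo-location: " + ev.country)
    if ev.time.hour not in profile.usual_hours:
        score += 10
        reasons.append("outside usual hours")
    if ev.recent_failures >= 3:
        score += 20
        reasons.append("recent failed attempts")
    # Impossible travel: a different country too soon after the last good login.
    if profile.last_login and profile.last_country and profile.last_country != ev.country:
        if ev.time - profile.last_login < timedelta(hours=2):
            score += 40
            reasons.append("impossible travel from " + profile.last_country)
    return score, reasons


def decide(score: int) -> str:
    if score >= DENY_AT:
        return DENY
    if score >= STEP_UP_AT:
        return STEP_UP
    return ALLOW


def evaluate(profile: UserProfile, ev: LoginEvent) -> Tuple[str, int, List[str]]:
    score, reasons = risk_score(profile, ev)
    return decide(score), score, reasons


def record_success(profile: UserProfile, ev: LoginEvent) -> None:
    """Update the profile only after a login that was allowed or passed step-up,
    so a challenged-and-failed attempt cannot teach the engine a new device."""
    profile.known_devices.add(ev.device_id)
    profile.usual_countries.add(ev.country)
    profile.last_login = ev.time
    profile.last_country = ev.country


def sample_profile() -> UserProfile:
    """Constructed profile: a user who normally works from the US in daytime."""
    return UserProfile(
        known_devices={"fp-laptop-7a3c"},
        usual_countries={"US"},
        usual_hours=range(7, 20),
        last_login=datetime(2011, 7, 14, 15, 0, tzinfo=timezone.utc),
        last_country="US",
    )


def sample_events() -> List[LoginEvent]:
    """Constructed logins: familiar, new phone, and an attacker abroad."""
    utc = timezone.utc
    return [
        LoginEvent("fp-laptop-7a3c", "US", datetime(2011, 7, 14, 15, 30, tzinfo=utc)),
        LoginEvent("fp-phone-91e0", "US", datetime(2011, 7, 14, 16, 0, tzinfo=utc)),
        LoginEvent("fp-unknown-0000", "RO", datetime(2011, 7, 14, 15, 40, tzinfo=utc),
                   recent_failures=4),
    ]


if __name__ == "__main__":
    profile = sample_profile()
    for ev in sample_events():
        print(evaluate(profile, ev))
```

The third event scores on every indicator (new device, new country, failed attempts, and a country change forty minutes after a US login) and is denied outright; the second is challenged only because the device is new, and once the user passes the challenge `record_success` teaches the engine the device so the next login from it is silent.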
One-time password authentication
One-time password (OTP) authentication is a leading two-factor authentication solution;
it is based on something you know (a PIN or password) and something you have (an
authenticator). The authenticator generates a new OTP code at a fixed interval (every
60 seconds, in the case of RSA SecurID), making it difficult for anyone other than the
genuine user to enter the correct code at any given time; a code captured by a phishing
page is only useful within that interval, so OTP narrows but does not eliminate the
phishing window.
To access information or resources protected by one-time password technology, users
simply combine their secret personal identification number (PIN) with the token code that
appears on their authenticator display at that given time. The resulting passcode is
unique to that user and that moment and is used to assure a user’s identity positively.
One-time password technology is available in many form factors including:
– Hardware authenticators. Traditional hardware authenticators (sometimes referred to as
“key fobs”) are portable devices that are small enough to fit on a key chain and meet the
needs of users who prefer a tangible solution or who access the Internet from a number
of different locations.
– Software authenticators. Software authenticators (for PCs, USB drives, or mobile
devices) are typically offered as an application or in a toolbar format that is securely
placed on a user’s desktop, laptop or mobile device.
– On-demand. On-demand authentication involves delivery of a unique OTP “on demand”
via SMS (text message) to a mobile device or a user’s registered e-mail address. Upon
receipt of the unique OTP, a user simply enters it, along with their PIN when challenged,
to gain access to their corporate network or an online application.
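The PIN-plus-token-code login described above, as an added example that is not RSA's code and not from the paper: RSA SecurID uses its own patented algorithm, so this uses the open TOTP standard (RFC 6238, HMAC-SHA1 over a time counter) as a stand-in, with the 60-second step the paper describes. The user name, seed record and PIN are constructed. Beyond the paper's description it also shows the two server-side checks that make the scheme hold up in practice: a small clock-drift window and a replay guard so a code is accepted only once.

```python
"""Two-factor one-time password login: a PIN (something you know) combined with a
time-based token code (something you have).

Added example, not RSA's code: RSA SecurID uses its own patented algorithm, so
this uses the open TOTP standard (RFC 6238) with a 60-second step. User name,
seed record and PIN are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

TIME_STEP = 60   # seconds each token code is valid, as in the paper
DIGITS = 6       # length of the token code shown on the authenticator
WINDOW = 1       # accept +/- one step so small clock drift does not lock users out


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1(seed, counter)."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def token_code(seed: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: the code is HOTP over the current time-step number."""
    return hotp(seed, unix_time // step, digits)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # The PIN is stored hashed, never in clear text, like any other password.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class OtpServer:
    """Minimal authentication server holding each user's seed record and PIN."""

    def __init__(self) -> None:
        self._users = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self._users[user] = {
            "seed": seed,
            "salt": salt,
            "pin_hash": _hash_pin(pin, salt),
            "last_counter": -1,   # highest time step already used (replay guard)
        }

    def verify(self, user: str, passcode: str, unix_time: int) -> bool:
        """passcode = PIN followed by the token code currently on the display."""
        rec = self._users.get(user)
        if rec is None or len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not (code.isascii() and code.isdigit()):
            return False
        pin_ok = hmac.compare_digest(_hash_pin(pin, rec["salt"]), rec["pin_hash"])

        # Check every step in the window regardless of the PIN result, so the
        # response time does not reveal which of the two factors was wrong.
        matched = None
        now_step = unix_time // TIME_STEP
        for step in range(now_step - WINDOW, now_step + WINDOW + 1):
            if hmac.compare_digest(hotp(rec["seed"], step), code):
                matched = step
        if not pin_ok or matched is None or matched <= rec["last_counter"]:
            return False
        rec["last_counter"] = matched   # each token code is accepted only once
        return True


if __name__ == "__main__":
    import time
    seed = os.urandom(20)                      # the "seed record" shared at enrolment
    server = OtpServer()
    server.enroll("alice", seed, "4821")
    now = int(time.time())
    code = token_code(seed, now)               # what alice reads off her authenticator
    print("first use :", server.verify("alice", "4821" + code, now))   # True
    print("replayed  :", server.verify("alice", "4821" + code, now))   # False
    print("wrong PIN :", server.verify("alice", "0000" + code, now))   # False
```

The replay guard is what limits a phished passcode to a single use: even inside the 60-second window, a code the genuine user has already submitted is refused. The RFC 6238 test vectors (20-byte ASCII seed "12345678901234567890", 30-second step, 8 digits) can be used to confirm the code generation.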
Digital certificates
A digital certificate is an electronic document that binds a public key to the identity
of the person or machine it is issued to; the holder proves that identity by using the
matching private key. The certificate and private key can be stored on a desktop, smart
card or USB token. For stronger two-factor authentication, the private key is kept on a
smart card or USB token and protected by a PIN that the user must enter to unlock it
before the credential can be used. The digital certificate can then be used to
authenticate a user to a network or application. In addition to user authentication,
digital certificates can add value to the enterprise by enabling digital signatures or
e-mail encryption.
Digital certificates can also be combined with OTP deployments using a hybrid
authenticator. In this case, the hybrid authenticator stores multiple credentials and
streamlines the end user experience. A common use case for a combined certificate and
OTP deployment is to unlock hard disk encryption with a digital certificate followed by
authentication to a VPN with a one-time password.
Analyzing the Authentication Attributes
Once an organization assesses the needs of its business and its users, selecting the
appropriate authentication strategy based on the available choices ultimately is a
tradeoff among a number of variables:
1. Strength of security
2. Typical use case
3. Client-side requirements
4. Portability
5. Multiple use
6. User challenges
7. Distribution requirements
8. System requirements
9. Cost
The RSA Authentication Decision Tree can help organizations make the relevant
comparisons among the authentication methods that are designed to meet their
requirements. By using this simple framework, organizations are provided with an
objective assessment among the leading authentication solutions.
While cost is an important consideration, organizations must consider a number of
other elements in determining what is most suitable to their needs. Too often, the focus
is on acquisition cost alone, but in considering that as a priority factor, one only needs
to look to password-only authentication to prove that cost should never be the only
consideration. Passwords are essentially “free” in terms of acquisition cost; however,
they are surprisingly expensive in terms of ongoing management and support costs.
RSA Solutions
For more than 25 years, RSA has been a leading provider of strong two-factor
authentication solutions. RSA offers a variety of solutions to help businesses of all sizes
provide strong authentication while balancing risk, cost and end user convenience.
RSA SecurID® Authentication
RSA SecurID® one-time password technology provides a leading two-factor authentication
solution; it is based on something you know (a PIN or password) and something you have
(an authenticator). The authenticator itself can be one of a variety of formats, or form
factors, which are described later in this section. Each RSA SecurID authenticator holds
a unique symmetric key (or “seed record”) that is combined with a proven algorithm to
generate a new one-time password (OTP) every 60 seconds. Patented technology
synchronizes each authenticator with the security server, ensuring a high level of security.
To access resources that are protected by the RSA SecurID system, users simply combine
their secret Personal Identification Number (PIN) with the token code that appears on
their authenticator display at that given time. The result is a unique, one-time password
that is used to assure a user’s identity positively. RSA SecurID authentication is available
in the following form factors to meet the needs of organizations and their users:
Hardware Authenticators
From a usability perspective, traditional hardware authenticators (sometimes referred to
as “key fobs”) are small enough to fit on a key chain and meet the needs of users who
prefer a tangible solution or access the Internet from a number of different locations.
Hybrid Authenticator with Digital Certificates
The RSA SecurID 800 authenticator is a hybrid device that combines the simplicity and
portability of SecurID authentication with the power and flexibility of a smart card in one
convenient USB form factor. The 800 offers standards-compliant digital certificate support
for disk and file encryption, authentication, signing and other applications and
strengthens simple password authentication by storing users’ domain credentials on a
hardened security device. By combining multiple credentials and applications in a single
device, the 800 is a master key that enables strong authentication across a
heterogeneous IT environment in a way that is both simple and seamless for the end user.
An Authentication Decision Tree Scenario
Company profile: A large healthcare organization representing several regional hospitals
and specialty health centers that serves more than 1.5 million patients.
User groups: Physicians, payers and insurers, patients and healthcare administrators.
Business and user needs:
– Physicians are constantly on the go, moving among multiple facilities, and stay
connected to healthcare and patient records through a laptop, BlackBerry or other mobile
device. This enables instant, secure access to pertinent health records to ensure the
highest quality of patient care.
– Payers and insurers need access to patient records, medical history and services
performed in order to settle or adjust claims.
– Healthcare administrators routinely need access to protected health information and
personally identifiable information (PII) of patients. From case workers to billing
specialists, access to patient information is critical to their job performance.
– Patients are provided access to their personal information and medical history through
a Web-enabled portal. In addition to making updates to their personal information, they
are provided a number of other convenient online services such as the ability to
schedule appointments, submit prescription renewal requests and pay medical bills.
Authentication choices: With a diverse user base that requires access to various systems
and for different needs, this healthcare organization would likely need to consider a
mix of authentication solutions including:
– Physicians: Software-based OTP for mobile devices
– Payers and insurers: Hardware tokens
– Healthcare administrators: Hardware tokens
– Patients: Risk-based authentication
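The six criteria from "How to Use the Authentication Decision Tree" applied to the four user groups of the scenario above, as an added example. The paper describes the RSA Authentication Decision Tree only in prose and does not publish its rules, so the rules below are this example's own reading of the paper's guidance, not RSA's tree; the attribute values for each group are inferred from the scenario text, and the population sizes other than the 1.5 million patients, the MASS_MARKET threshold and the payroll group are assumptions.

```python
"""Applying the paper's six decision criteria to user groups.

Added example: the rules are this example's interpretation of the paper's
criteria (environment control, access method, multiple locations/devices,
encryption need, fraud prevention, user base size), not RSA's actual tree.
"""
from dataclasses import dataclass
from typing import List

MASS_MARKET = 100_000   # assumed: above this, per-user tokens stop being practical


@dataclass(frozen=True)
class UserGroup:
    name: str
    controlled_environment: bool     # can the organisation install software / dictate the OS?
    web_only_access: bool            # only Web applications, or also VPN / non-Web apps?
    multiple_devices: bool           # roams across locations and devices, including mobile?
    needs_encryption: bool           # disk, file or e-mail encryption required?
    needs_transaction_monitoring: bool
    population: int


def recommend(g: UserGroup) -> List[str]:
    """Candidate methods for the group, best fit first."""
    recs: List[str] = []
    if not g.controlled_environment and (g.population >= MASS_MARKET or g.web_only_access):
        # Nothing can be installed and tokens cannot be distributed at this scale:
        # keep the security server-side and challenge only when the risk is high.
        recs.append("risk-based authentication")
        if g.needs_transaction_monitoring:
            recs.append("post-login transaction monitoring")
        recs.append("knowledge-based authentication for step-up")
        return recs
    if g.needs_encryption:
        # A certificate on a smart card / USB token covers encryption and signing too.
        recs.append("hybrid certificate + OTP authenticator")
    if g.multiple_devices and g.controlled_environment:
        # The organisation can install the authenticator app on the devices it manages.
        recs.append("software OTP authenticator on mobile device")
    else:
        # Works on any OS and from any location, with no client software to support.
        recs.append("hardware OTP token")
    if g.multiple_devices:
        recs.append("on-demand OTP (SMS/e-mail) as fallback")
    return recs


def healthcare_scenario() -> List[UserGroup]:
    """The four groups from the scenario; attribute values inferred from its text,
    populations other than the patients' 1.5 million assumed."""
    return [
        UserGroup("physicians", True, False, True, False, False, 2_000),
        UserGroup("payers and insurers", False, False, False, False, False, 500),
        UserGroup("healthcare administrators", True, False, False, False, False, 5_000),
        UserGroup("patients", False, True, True, False, False, 1_500_000),
    ]


if __name__ == "__main__":
    for group in healthcare_scenario():
        print(f"{group.name}: {recommend(group)}")
```

Run as written, the first recommendation for each group matches the choices listed in the scenario: software OTP for physicians, hardware tokens for payers and for administrators, and risk-based authentication for patients. A group that also needs file or e-mail encryption (the HR, payroll and finance users mentioned under "Planned usage") comes out with the hybrid certificate-plus-OTP authenticator first.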
Software Authenticators
RSA SecurID software authenticators use the same algorithm as RSA SecurID hardware
authenticators – but provide an added benefit for mobile users by eliminating the need for
users to carry dedicated hardware devices. Instead of being stored in SecurID hardware, the
symmetric key is safeguarded securely on the user’s PC, smart phone or USB device.
Mobile Devices
RSA SecurID software authenticators are available for a variety of smart phone platforms
including BlackBerry®, iPhone, Android, Microsoft Windows® Mobile, Java™ ME, Palm OS,
Symbian OS and UIQ devices.
Microsoft Windows® Desktops
The RSA SecurID Token for Windows Desktops is a convenient form factor that resides on
a PC and enables automatic integration with leading remote access clients.
OTP Token Toolbar
The RSA SecurID Toolbar Token combines the convenience of auto-fill capabilities for Web
applications with the security of anti-phishing mechanisms.
On-demand (delivered via SMS or e-mail)
RSA On-demand Authentication delivers a unique one-time password “on demand” via
SMS (text message) to a mobile device or a user’s registered e-mail address. Upon receipt
of the unique OTP, a user simply enters it, along with their PIN when challenged, to gain
access to their corporate network or an online application.
RSA® Authentication Manager Express
RSA® Authentication Manager Express is a strong multi-factor authentication platform that
provides cost-effective protection for small- to mid-sized organizations. Authentication
Manager Express works with leading SSL VPNs and Web-based applications to enable
strong authentication and secure access to protected applications and data.
Authentication Manager Express is powered by RSA risk-based authentication technology
– the same technology that protects the identities of more than 250 million users
worldwide. This sophisticated system measures a series of risk indicators behind-the-
scenes to assure user identities. RSA Authentication Manager Express considers multiple
factors in determining the risk associated with each access request including:
– Something the user knows such as a username and password
– Something the user has such as a laptop, desktop PC, or mobile device
– Something the user does such as recent authentication and account activity
RSA Authentication Manager Express can invoke additional authentication methods in
the event an access request does not meet the required assurance level. This is
especially true in situations where a remote user is logging in from a device that is not
recognized and has not been previously used to access the network. RSA Authentication
Manager Express provides two methods for additional authentication: out-of-band SMS
and challenge questions.
RSA Authentication Manager Express is delivered on a plug-and-play appliance and
supports up to 2,500 users.
RSA® Adaptive Authentication
RSA® Adaptive Authentication is a multi-channel authentication and fraud detection
platform that provides cost-effective protection for an entire user base. In addition to
passively observed attributes, Adaptive Authentication can plant a cookie and/or a Flash
shared object (also referred to as a “flash cookie”) on the user’s device to serve as a
more distinctive device identifier. The solution provides strong and convenient
protection by monitoring and authenticating user activities based on risk levels,
institutional policies and user segmentation. Powered by RSA’s risk-based
authentication technology, Adaptive Authentication tracks over one hundred indicators to
identify potential fraud, including device profiles, IP geo-location and user behavioral
profiles. Each activity is assigned a risk score; the higher the score, the greater the
likelihood that the activity is fraudulent.
Adaptive Authentication offers behind-the-scenes monitoring that is invisible to the user.
It is only when an activity is deemed to be high-risk that a user is then challenged to
provide additional authentication, usually in the form of challenge questions or out-of-
band phone authentication. With low challenge rates and high completion rates,
Adaptive Authentication offers strong protection and superior usability and is an ideal
solution for deployment to a large user base.
RSA Adaptive Authentication is available in both SaaS (software as a service) and
on-premise deployments. The solution is highly scalable and can support millions of
users.
RSA® Identity Verification
RSA Identity Verification utilizes knowledge-based authentication to assure user
identities in real-time. RSA Identity Verification presents a user with a series of “top-of-
mind” questions utilizing information on the individual that is obtained by scanning
dozens of public record databases. Within seconds, RSA Identity Verification delivers a
confirmation of identity, without requiring any prior relationship with the user.
RSA Identity Verification also provides improved accuracy in authenticating users with
the Identity Event Module. The Identity Event Module improves security by measuring the
level of risk associated with an identity and allowing the configuration of the system to
adjust the difficulty of the questions automatically during the authentication process in
order to meet the specific nature of the risk. Some of the identity events that are
measured include:
– Public record searches. Suspicious access to a user’s public record reports.
– Identity velocity. A high volume of activity associated with an individual at several
businesses.
– IP velocity. Multiple authentication requests generated from the same IP.
RSA® Certificate Manager
RSA® Certificate Manager is an Internet-based certificate authority solution that
provides core functionality for issuing, managing and validating digital certificates. It
includes a secure Web server, a signing engine for digitally signing end user
certificates, and an integrated data repository for storing certificates, system data and
certificate status information. RSA Certificate Manager was the first to be Common
Criteria certified and is also IdenTrust certified.
Certificate Manager is built on open industry standards, making it interoperable with
hundreds of standards-based applications out of the box. It can therefore be leveraged
across other applications including Web browsers, e-mail and VPN clients to ensure
maximum return on investment. It also provides the option to store credentials in Web
browsers or on smart cards and USB tokens. For example, RSA digital certificates can be
combined with the SecurID 800 hybrid authenticator to consolidate multiple credentials
on a single device, simplifying the end user experience. Additional components of the
RSA Digital Certificate Solution include RSA Registration Manager, RSA Validation
Manager, RSA Key Recovery Module and RSA Root Signing Services.
RSA, the RSA logo, EMC2, EMC and where information lives are registered trademarks or trademarks of EMC
Corporation in the United States and other countries. All other trademarks used herein are the property of their
respective owners. ©2011 EMC Corporation. All rights reserved. Published in the USA.
DECTREE WP 0711
About RSA
RSA is the premier provider of security, risk and compliance solutions, helping the
world’s leading organizations succeed by solving their most complex and sensitive
security challenges. These challenges include managing organizational risk,
safeguarding mobile access and collaboration, proving compliance, and securing
virtual and cloud environments.
Combining business-critical controls in identity assurance, data loss prevention,
encryption and tokenization, fraud protection and SIEM with industry leading eGRC
capabilities and consulting services, RSA brings trust and visibility to millions of user
identities, the transactions that they perform and the data that is generated.
www.rsa.com